IN THE CLAIMS 

Cancel Claims 2, 3, and 12, without prejudice.

1. (Currently Amended) An authentication intrusion detection system responsive to 
an attempted intrusion into a local computer system to which access is gained by 
prospective users entering a personal identifier followed by a secret authenticator, said 
authentication intrusion detection system comprising: 

a local computer system authenticator file communicating with said local 
computer system and having stored therein the secret authenticators corresponding to the 
personal identifiers entered by prospective users; 

an authenticator broker system to intercept and redirect the identifier and secret 
authenticator of a prospective user from the local computer system; 

an authenticator broker file communicating with said authenticator broker system
and having stored therein the secret authenticators corresponding to the personal 
identifiers entered by the prospective users at the local computer system and stored in the 
local computer system authenticator file, whereby a prospective user can gain access to 
the local computer system when the authenticator entered by the prospective user 
matches the authenticator stored in said authenticator broker file; and 

a decoy authenticator file communicating with the authenticator broker system to 
assign a decoy authenticator for the secret authenticator entered by the prospective user at 
the local computer system and stored in the local computer system authenticator file,
wherein said decoy authenticator file is a mapping file and wherein a replacement
identifier is randomly assigned by said mapping file for the identifier entered by the
prospective user and intercepted by said authenticator broker system.

2. (Cancelled)

3. (Cancelled) 

4. (Currently Amended) The authentication intrusion detection system recited in 
Claim 1, wherein said replacement identifier assigned by said mapping file for the
identifier entered by the prospective user and intercepted by said authenticator broker 
system is unique to the prospective user. 

5. (Currently Amended) The authentication intrusion detection system recited in 
Claim 1, wherein said replacement identifier assigned by said mapping file for the
identifier entered by the prospective user and intercepted by said authenticator broker 
system is unknown to the prospective user. 

6. (Original) The authentication intrusion detection system recited in Claim 1, 
wherein said authenticator broker system is a host computer that is responsive to the 
prospective user's attempt to gain access to the local computer system and to any 
intrusion into the local computer system. 

7. (Original) The authentication intrusion detection system recited in Claim 6, 
wherein said host computer is a mainframe computer. 

8. (Currently Amended) The authentication intrusion detection system recited in
Claim 7, further comprising a mapping file communicating with the authenticator broker
system to assign said replacement identifier stored in said mapping file for the identifier
entered by the prospective user at the local computer system and intercepted by said 
authenticator broker system, said authenticator broker system, said mapping file and said 
decoy authenticator file being located at said mainframe host computer. 

9. (Currently Amended) A method for detecting a compromise by an intruder to a 
local computer system that requires authorized users to log onto the local computer 
system by means of successfully entering a personal identifier and a secret authenticator 
for purposes of user authentication, said method comprising the steps of: 

intercepting the secret authenticator entered by the authorized user at the local 
computer system and forwarding the secret authenticator to an authenticator broker 
system; 

transmitting from the authenticator broker system to the local computer system a 
decoy password in substitution of the secret authenticator of the authorized user; and 

logging the authorized user onto the local computer system on the basis of the 
decoy password transmitted to the local computer system from the authenticator broker 
system; 

whereby an intruder who breaks into the local computer system will capture and 
enter the authorized user's personal identifier and the decoy password substituted for the 
authorized user's secret authenticator to be forwarded to the authenticator broker system 
by which to provide an indication that the local computer system has been compromised;
and

wherein the authorized user accesses a plurality of local computer systems, each 
local computer system being identified in a system identifier mapped to each decoy 
password and secret authenticator, and wherein the identification of a compromised local 
computer system is determined by the system identifier thereof.

10. (Original) The method recited in Claim 9, including the additional step of 
storing the decoy password in an authenticator file of each of said local computer system 
and said authenticator broker system. 

11. (Original) The method recited in Claim 9, including the additional step of 
maintaining the decoy password in secrecy from the authorized user. 

12. (Cancelled) 

Please enter the following new claims: 

13. (New) A method for detecting unauthorized access and an intrusion into a local 
computer to which access is gained by a user signing on with a local identifier and a 
secret authenticator to identify himself to the local computer, said method comprising the 
steps of: 

transmitting the user's local identifier and secret authenticator to an authentication 
broker system and associating the secret authenticator with a corresponding mapped 
identifier stored on the authentication broker system; 

verifying on the authentication broker system the mapped identifier with the 
secret authenticator to authenticate the user; 

retrieving a decoy authenticator and returning the decoy authenticator and the 
verification of the user to the local computer; 

assigning a random replacement identifier for the local identifier entered by the 
user during sign on; and 

associating the decoy authenticator with the local identifier at the local computer. 

14. (New) The method recited in Claim 13, wherein said authentication broker is 
located on a host computer that is remote from the local computer system. 

15. (New) The method recited in Claim 14, wherein said remote host computer is a 
mainframe computer. 
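
The method of Claim 9 can be sketched in Python as follows. This is an added example, not part of the application or of any implementation by the applicant; the class and method names, the PBKDF2 storage of the real secret, and the sample user and system identifiers are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

class AuthenticatorBroker:
    """Hypothetical broker: keeps real secrets, gives local systems decoys only."""

    def __init__(self):
        self._real = {}    # user -> (salt, PBKDF2 hash of the real secret)
        self._decoys = {}  # decoy password -> (user, system identifier)
        self.alerts = []   # (user, compromised system identifier)

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, user, secret, system_ids):
        salt = os.urandom(16)
        self._real[user] = (salt, self._hash(secret, salt))
        issued = {}
        for sid in system_ids:
            decoy = secrets.token_urlsafe(16)  # kept secret from the user (Claim 11)
            self._decoys[decoy] = (user, sid)
            issued[sid] = decoy
        return issued  # stored in each local authenticator file (Claim 10)

    def sign_on(self, user, entered, system_id):
        """Return (status, detail) for a credential intercepted at system_id."""
        owner = self._decoys.get(entered)
        if owner and owner[0] == user:
            # A decoy lives only in a local authenticator file, so seeing it
            # typed in means that file was read: flag the system it maps to.
            self.alerts.append(owner)
            return "compromised", owner[1]
        salt, stored = self._real.get(user, (b"", b""))
        if stored and hmac.compare_digest(stored, self._hash(entered, salt)):
            decoy = next((d for d, o in self._decoys.items()
                          if o == (user, system_id)), None)
            if decoy:
                return "ok", decoy  # local system logs the user on with the decoy
        return "denied", None

def demo():
    broker = AuthenticatorBroker()
    # Constructed sample data: one user enrolled on two local systems.
    local_files = broker.enroll("alice", "correct horse", ["payroll", "hr-db"])
    legit = broker.sign_on("alice", "correct horse", "payroll")
    stolen = local_files["hr-db"]  # value captured from hr-db's authenticator file
    replay = broker.sign_on("alice", stolen, "payroll")
    return broker, local_files, legit, replay

if __name__ == "__main__":
    print(demo()[2:])
```

Because each decoy is mapped to one system identifier, the alert names the system whose authenticator file was read, regardless of where the decoy is later entered.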